RAYVN and GDPR
In May 2018, a new EU-wide regulation, GDPR (General Data Protection Regulation), went into effect. This new regulation builds upon previous legislation and directives regarding privacy, data protection and information security, but strengthens individuals’ protections and rights in several areas and places clearer duties and accountability on companies handling personal data.
2. Personal Data
GDPR applies to personal data, in a wide sense, i.e. any information about, or that can be traced back to, individuals.
Traditional examples of personal data (or ‘personally identifiable information’, PII) are directly identifying data (e.g. name, social security number, phone number, bank account number), but the term also includes anything an individual has authored (e.g. messages, login credentials, written evaluations, program settings, form data), information about an individual (e.g. religious and organizational affiliations), and data that is generated automatically from the individual’s actions (e.g. location data, ad profiling, usage logs including IP addresses).
In other words, the regulation will affect any and all companies even if the data in question is as innocuous as a list of contact information for its employees or customers.
Data that is stored and handled pseudonymously (i.e. information that isn’t directly identifying, for example a candidate number, or data that is ‘hidden’, e.g. by encryption), but that can still be re-identified in combination with data from other sources or through patterns inside the information itself, is still considered personal data. Pseudonymization can nevertheless be regarded as an appropriate measure for reducing the consequences of a data leak (‘loss of confidentiality’).
Only completely anonymous data, fully decoupled from identity in a non-reversible way, falls outside the scope of the regulation, e.g. statistically aggregated data from a large enough population (to ensure that an individual’s effect on the aggregate is impossible to identify).
The purpose of the regulation, as RAYVN understands it, is twofold:
- Primarily, GDPR focuses on giving the registered individuals (‘data subjects’) awareness of, insight into, real influence over and ownership of personal data relating to themselves. The means to obtaining these ends are laid down in several rights the individuals (data subjects) have, as well as responsibilities the handling companies have. More on these topics in sections 4 to 6, below.
- Secondly, GDPR aims to unify data protection legislation across borders (the regulation does not require national governments to ratify it - it is directly binding for all member states of the EU, and will likely be applicable in the entire EEA), thus creating a simplified regulatory environment for companies handling personal data.
4. Roles and scope
There are several defined roles which affect rights, responsibilities, and accountability as they pertain to GDPR:
- Data subject: The registered individuals; the subjects that the personal data concerns.
- Data controller: An organization, typically a company, that decides a) what data will be stored/processed, b) the purpose for which such data is stored/processed, and c) the means and methods of the data storage/processing.
The data controller is ultimately responsible for implementing appropriate measures ensuring that the requirements of GDPR are adhered to, both in its own organization and by subcontractors, such that the data subjects can exercise all their rights according to GDPR and such that none of the provisions are violated.
- Data processor: An organization, typically a subcontractor of the data controller, that stores/processes personal data on behalf of and according to the directions of the data controller.
GDPR applies to any data subject, data controller, or data processor that is based in the EU, as well as to the personal data of any EU resident even if the controller and/or the processor(s) are based outside the EU.
In order to protect the security (confidentiality, integrity and availability as they are commonly defined and understood in the information security field) of your data and the systems and services that process it, we will assess the related risks (threats, probabilities and consequences) and implement both technical and organizational measures as appropriate (taking assumed costs and effectiveness of the measures into account).
Please understand that the landscape of threats and tools changes all the time, sometimes overnight, and that ensuring acceptable security over time requires a continual process of evaluation and improvement. Indeed, no process can guarantee the absolute safety of your data, but we do our best to keep in line with best industry practices and to update our routines and systems as needed.
In the unfortunate event of a data breach, we will notify the involved and interested parties, including the relevant supervisory authority, in accordance with GDPR Articles 33 and 34.
GDPR grants several rights to individuals (data subjects) regarding storage and processing of, as well as access to, their own personal data:
- Information about registration: Data subjects must be able to get information about the terms of the storage/processing of their own personal data, e.g. what kind of data is being stored/processed, for what purpose, for how long, etc.
- Access to data: Data subjects must be able to access and review their own personal data (with some exceptions).
- Rectification of data: There must exist a process for data subjects to be able to notify the controller about incorrect/incomplete data and/or, whenever appropriate, to be able to correct and/or complete their own personal data.
- Restriction of storage/processing of data: Data subjects must at any time be able to signal their objection, or withdrawal of prior consent, to store/process their own personal data.
- Erasure of data: There must exist a process for data subjects to be able to request the erasure of their own personal data and for the request to be considered and handled within a reasonable time frame.
- Portability of data: Data subjects must be able to export their own personal data in a standard, open, electronic, and machine-readable format, so that they can take their data to a different provider without hindrance by the data controller.
In some cases, an individual’s rights or interests may be in opposition to the legitimate interests of a data controller or other parties (employers, national governments, etc.). This document only gives an overview of the basic rights and responsibilities put forth by the GDPR, as currently understood by RAYVN. As such, a detailed discussion of exceptions, borderline cases, and legal precedents is outside the scope of this document.
8. Changes to This Policy
Your continued use of our services, after the changes take effect, will be regarded as your acceptance of the changes. Consequently, if you do not agree to the changes, we will unfortunately have to require you to stop using our services before the changes take effect. We hope you appreciate that this is a requirement that is necessary for us to deliver consistent services, under the same rules, to everyone.
9. How to Contact Us